LogRhythm NetMon Benefits

SumitKumar10 - PeerSpot reviewer
Senior project engineer at a tech vendor with 10,001+ employees

LogRhythm NetMon has helped us create a more robust environment. We have more effective monitoring.

KuldeepBurra - PeerSpot reviewer
Co-Founder & Managing Director at Halainfosec
it_user756438 - PeerSpot reviewer
Senior Info Security Specialist at a hospitality company

With other solutions it's a lot of care and feeding to keep it going, making sure that your alarms and use cases are built out. With the Network Monitor it's pulling packets right off the network and doing that deep packet analytics. You're able to look right off the wire and get a true picture of what's going on. "Did this person send out an email? Did this person go to this website? Is this application running on our network in these certain areas?" You can get a very granular look.

It provides data in a user-friendly interface that I can pull off and get to management.

It does packet captures as well, so if I really wanted to dig into it I could pull those down. I could run those through other tools as well.

You can really, really dig into it with some other packet-analysis tools we have. But just having it there, it's incredibly smart, incredibly easy to use, and the breadth of information we get off it is really good for investigations for us.

Buyer's Guide
Network Monitoring Software
March 2024
Find out what your peers are saying about LogRhythm, Cisco, SolarWinds and others in Network Monitoring Software. Updated: March 2024.
768,578 professionals have used our research since 2012.
it_user756351 - PeerSpot reviewer
Director Of Infrastructure at a government with 10,001+ employees

We're running a single XM appliance, LogRhythm side. We're just under 2000 events a second. Our entire stack is VMware ESXi. We're completely virtual. We have two datacenters, about 300 VMs. We're also aggregating logs from all of our network equipment. We have 200 remote sites that all push their logs back to our data center.

We're very young in our deployment, out six months. We have yet to really derive substantial benefit from it. What we've seen so far has been, when we see events we can go back and drill into it, and see the path, see the kill chain. But we haven't made it to the point where we have tuned our alarms, yet. I expect it to do all of these things, we just haven't made it there yet.

The goal is to protect our users, certainly. Our environment is set up much like a retail environment. We have the vast majority of my users directly interfaced with the public. Their computers or their devices exist in the wild, not behind my corporate firewall. The overriding goal is to protect that equipment, protect those users, and then of course protect myself from anything that would happen if one of those devices or users is compromised. The challenges are really the same. All of these devices exist in the wild. They're not behind my firewall, they are out on the open internet daily, on a regular basis. That is the biggest challenge, making sure that those devices are visible to us, and that we can collect data, collect logs from those devices.

Again, we're so young in our deployment, that the perception is that there is a lot of potential there. We know that we have a long way to go to tune it, to onboard all of the log sources. The impression so far is very, very good. We were sold on the product based on the fairly narrow use cases that the sales reps gave us. What we're seeing during our usage is that we can get there. Again, we're so young in the deployment that we haven't made it to that point yet. But we definitely see the potential, we're very excited about the potential.

SH
Product Technical Manager at a tech company with 1-10 employees

We simply enabled the out-of-the-box DPA rules within Network Monitor to look for ransomware via SMB traffic and other types of attacks, such as DNS hijacking where external DNS is being used instead of internal, and it was happening in our network environment.


